MessageIdVersionQualifiersLevelTaskOpcodeKeywordsRecordIdProviderNameProviderIdLogNameProcessIdThreadIdMachineNameUserIdTimeCreatedActivityIdRelatedActivityIdContainerLogMatchedQueryIdsBookmarkLevelDisplayNameOpcodeDisplayNameTaskDisplayNameKeywordsDisplayNamesProperties
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:55:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:55:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x2D84C Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xcd8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481617752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:55:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: f20b6409-4024-4de7-9f1a-b85a8489c278 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481617751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:55:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: f20b6409-4024-4de7-9f1a-b85a8489c278 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84461fed9b8126b89643388b57de7808_f9456706-f0d0-4a33-ad50-dbbdc507e7f1 Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481617750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:55:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72EC5E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:55:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73BDB9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:53:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73BDB9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:53:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73BDB9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:53:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:53:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732657 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732657 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732657 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72F946 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72F946 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72F946 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72EB16 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72EC5E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72EC5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72EC05 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72EC05 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72EC05 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72EBBC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72EBBC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72EBBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72EB16 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2065638930-1159578492-2166975384-1639386062 Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72EB16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B1F2612-C37C-451D-986B-2981CE0BB761 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:50:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x710372 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:47:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x715C45 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:45:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x715C45 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:45:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x715C45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:45:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:45:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712DBC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:45:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712DBC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:45:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712DBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:45:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:45:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x710217 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x710372 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x710372 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x710319 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x710319 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x710319 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7102CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7102CF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7102CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x710217 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-427886665-1103698488-4149026478-3900704492 Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x710217 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 19810849-1A38-41C9-AE1E-4DF7EC0680E8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700FC4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:44:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x704911 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:43:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x704911 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:43:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x704911 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:43:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:43:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x701C98 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x701C98 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x701C98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700E7C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700FC4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700FC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700F6B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700F6B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700F6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700F22 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700F22 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700F22 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700E7C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1757348993-1199619255-3045842331-491326312 Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700E7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68BF0481-BCB7-4780-9BDD-8BB5680B491D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EC842 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FB8D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FB8D3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FB8D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:42:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F028E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F028E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F028E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ED50D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ED50D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ED50D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EC6FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EC842 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EC842 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EC7E9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EC7E9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EC7E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EC7A0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EC7A0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EC7A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EC6FA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4130251295-1337646696-962611097-1018962737 Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EC6FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F62EA21F-DE68-4FBA-9947-60393123BC3C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:40:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DCB9D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:39:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E0659 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E0659 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E0659 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DD869 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DD869 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DD869 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DCA55 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DCB9D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DCB9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DCB44 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DCB44 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DCB44 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DCAFB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DCAFB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DCAFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DCA55 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1219845146-1172861992-3684406663-169407554 Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DCA55 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48B55C1A-7428-45E8-8795-9BDB42F4180A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CAA45 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:38:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE2F9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:37:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE2F9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:37:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE2F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:37:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:37:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CB741 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CB741 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CB741 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CA892 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CAA45 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CAA45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CA981 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CA981 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CA981 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CA938 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CA938 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CA938 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CA892 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-783170008-1245793654-126955658-2991375465 Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CA892 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EAE39D8-4D76-4A41-8A30-910769C44CB2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202912n-h1-853682-1.cbci-853682-1.local8/18/2022 6:36:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B9799 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:35:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BD07F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BD07F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BD07F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA46C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA46C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA46C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B9651 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B9799 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B9799 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B9740 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B9740 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B9740 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B96F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B96F7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B96F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B9651 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1466981040-1215600627-1424814269-2955089741 Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B9651 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 57705AB0-97F3-4874-BDF0-EC544D1723B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x6B84DD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x6B84DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {98E686C4-25D1-F77E-5914-33EF729A88ED} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x6B84DD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A67C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:34:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AA1A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AA1A3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AA1A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A749A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A749A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:01 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A749A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:01 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:01 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A667D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A67C5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A67C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A676C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A676C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A676C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A6723 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A6723 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A6723 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A667D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1097445893-1266248796-3347312569-1521938035 Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A667D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4169B205-6C5C-4B79-B9EF-83C773EEB65A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:33:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6981A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:32:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69BAFC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69BAFC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69BAFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x698E76 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x698E76 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x698E76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69805B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6981A3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6981A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69814A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69814A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69814A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x698101 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x698101 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x698101 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69805B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-744632801-1274048050-4099781290-794130156 Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69805B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C6231E1-6E32-4BF0-AAB2-5DF4EC76552F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x680A8A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:31:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687A8F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687A8F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687A8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68451E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68451E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68451E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x681750 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x681750 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x681750 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x680942 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x680A8A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x680A8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x680A31 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x680A31 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x680A31 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6809E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6809E8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6809E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x680942 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2190353043-1217380184-748949939-15302391 Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x680942 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 828E2293-BF58-488F-B311-A42CF77EE900 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665032 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:29:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66BEF9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66BEF9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66BEF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6689B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6689B4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6689B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665D8F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665D8F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665D8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x664EEA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665032 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665032 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x664FD9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x664FD9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x664FD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x664F90 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x664F90 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x664F90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x664EEA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-7854274-1174920258-3495950773-529682574 Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x664EEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0077D8C2-DC42-4607-B5F9-5FD08E50921F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:25:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654C25 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65B922 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65B922 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65B922 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6584DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6584DB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6584DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6558E0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6558E0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6558E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654AD9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654C25 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654C25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654BC8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654BC8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654BC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654B7F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654B7F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654B7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654AD9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1690343160-1233759864-4014600123-3833830549 Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654AD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 64C096F8-AE78-4989-BBEF-49EF959C83E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:24:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645E0B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64CBCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64CBCE Privileges: SeImpersonatePrivilege467200125480-921436483760003481617436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64CBCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64973B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64973B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64973B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x646AC3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x646AC3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x646AC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645CC4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645E0B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645E0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645DB2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645DB2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645DB2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645D69 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645D69 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645D69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645CC4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2293777787-1258747961-2615653794-4206640864 Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645CC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88B8457B-F839-4B06-A2B5-E79BE03EBCFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x636AC9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63ED03 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63ED03 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63ED03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:23:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63A6A0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63A6A0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63A6A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x637816 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x637816 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x637816 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x636981 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x636AC9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x636AC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x636A70 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x636A70 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x636A70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x636A27 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x636A27 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x636A27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x636981 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1046450995-1093062545-2664155028-3608270731 Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x636981 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3E5F9333-CF91-4126-94C7-CB9E8BD711D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:22:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6294E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62CE43 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62CE43 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62CE43 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62A19D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62A19D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62A19D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62939F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6294E6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6294E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62948D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62948D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62948D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x629444 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x629444 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x629444 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62939F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3675151559-1308373568-1247411900-1181054858 Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62939F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB0E5CC7-3240-4DFC-BCFE-594A8A776546 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:21:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B538 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61EEAC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61EEAC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61EEAC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DBD8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DBD8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61DBD8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61C1FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61C1FE Privileges: SeImpersonatePrivilege467200125480-921436483760003481617348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61C1FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B3F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B538 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B538 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B4DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B4DF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B4DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B496 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B496 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B496 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B3F0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1120326724-1253832134-3132381857-2879649627 Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B3F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42C6D444-F5C6-4ABB-A15A-B4BA5BF7A3AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608FCF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:20:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x612EE7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:19:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x612EE7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:19:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x612EE7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:19:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:19:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D9A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D9A5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D9A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x609C7E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x609C7E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x609C7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608E88 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608FCF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608FCF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608F76 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608F76 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608F76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608F2D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608F2D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608F2D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608E88 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-535156632-1204840703-634412195-3350443586 Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608E88 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FE5D798-68FF-47D0-A35C-D02542B6B3C7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601044 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602FC6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602FC6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602FC6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601DDF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601DDF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601DDF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600EFC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601044 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601044 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600FEB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600FEB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600FEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600FA2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600FA2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600FA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600EFC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2299764050-1134582243-3133185926-944695290 Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600EFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89139D52-59E3-43A0-869F-C0BAFAE74E38 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F40DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:18:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F7B62 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F7B62 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F7B62 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F4D8D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F4D8D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F4D8D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F3F92 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F40DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F40DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F4081 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F4081 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F4081 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F4038 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F4038 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F4038 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F3F92 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-392356524-1228253648-3751985855-753300304 Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F3F92 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1762E2AC-A9D0-4935-BFC2-A2DF5073E62C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E58E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:17:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E931D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E931D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E931D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E6597 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E6597 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E6597 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E5795 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E58E6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E58E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E5885 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E5885 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E5885 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E583A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E583A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E583A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E5795 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2593853142-1339214013-420482488-3438963371 Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E5795 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A9B0ED6-C8BD-4FD2-B80D-1019AB6AFACC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:16:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5DABB0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB128 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DD008 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DD008 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DD008 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DBE29 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DBE29 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DBE29 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAFDC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB128 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB128 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB0CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB0CB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB0CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB082 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB082 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB082 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAFDC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3346953564-1180680842-578037659-2471890948 Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAFDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C77E755C-C28A-465F-9B27-742204105693 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5DABFE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5DABF9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5DABFA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5DABFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 49245 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5DABFE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5DABFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 49244 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5DABFA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5DABF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 49243 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5DABF9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5DABB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 49242 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5DABB0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:15:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C9CF1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:14:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD540 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD540 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CD540 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CA9B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CA9B3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CA9B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C9BAA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C9CF1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C9CF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C9C98 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C9C98 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C9C98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C9C4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C9C4F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C9C4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C9BAA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2672428736-1336769618-211144593-3362375038 Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C9BAA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9F4A06C0-7C52-4FAD-91CF-950C7EC569C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5C0812 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0FAA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2E6D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2E6D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2E6D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C1C97 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C1C97 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C1C97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0E5D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0FAA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0FAA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0F4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0F4D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0F4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0F04 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0F04 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0F04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0E5D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2666779425-1161945175-164446644-1760607688 Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0E5D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9EF3D321-E057-4541-B441-CD09C8BDF068 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5C0951 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5C0955 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5C0955 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 49229 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5C0951 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 49228 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5C0955 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5C0951 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5C0950 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5C0950 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 49227 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5C0950 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5C0812 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 49226 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x5C0812 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B1846 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:12:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B5175 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B5175 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B5175 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B25F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B25F7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B25F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B16FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B1846 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B1846 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B17ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B17ED Privileges: SeImpersonatePrivilege467200125480-921436483760003481617120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B17ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B17A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B17A4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B17A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B16FF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3605224240-1290660775-376298680-3764348861 Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B16FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6E35B30-EBA7-4CED-B8DC-6D16BD675FE0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A7291 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AAD64 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AAD64 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AAD64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A7F5E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A7F5E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A7F5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A7145 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A7291 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A7291 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A7234 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A7234 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A7234 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A71EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A71EB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A71EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A7145 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-664395333-1232603318-3830144133-3009183503 Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A7145 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2799DE45-08B6-4978-855C-4BE40F7F5CB3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:11:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58BFA1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:10:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F80B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F80B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F80B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204796n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58CC71 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58CC71 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58CC71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58BE59 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58BFA1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58BFA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58BF48 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58BF48 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58BF48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8203576n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58BEFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58BEFF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58BEFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58BE59 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-307015596-1157230708-1988221837-157096416 Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58BE59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 124CAFAC-F074-44F9-8DDB-8176E0195D09 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57D1F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:05:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x580A48 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x580A48 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x580A48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57DEC9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57DEC9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57DEC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57D0AD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57D1F5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57D1F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57D19C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57D19C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57D19C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57D153 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57D153 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57D153 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57D0AD Privileges: SeImpersonatePrivilege467200125480-921436483760003481617041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3731407711-1148768642-896617138-3875381594 Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57D0AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DE68C35F-D182-4478-B24A-71355AA1FDE6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x570579 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:03:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x573F46 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x573F46 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x573F46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57124A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57124A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57124A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x570431 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x570579 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x570579 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x570520 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x570520 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x570520 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5704D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5704D7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5704D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x570431 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1377427889-1173240973-2547093159-595797546 Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x570431 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5219E1B1-3C8D-45EE-A78E-D1972A268323 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F8FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:02:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5641FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5641FF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5641FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5605BA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5605BA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5605BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F7B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F8FA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F8FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F8A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F8A1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F8A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F858 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F858 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F858 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F7B3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-61101171-1193701692-3247040940-3375150173 Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F7B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03A45473-713C-4726-ACE9-89C15DB42CC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 6:00:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554CB9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x558853 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x558853 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x558853 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555A75 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555A75 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555A75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554B71 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554CB9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554CB9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554C60 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554C60 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554C60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554C17 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554C17 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554C17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554B71 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-856352668-1224084751-576348067-801111359 Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554B71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 330AE79C-0D0F-48F6-A35F-5A223FFDBF2F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53964D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:59:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DFAF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DFAF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DFAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53B2CC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53B2CC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53B2CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53947C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53964D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53964D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5395AC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5395AC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5395AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x539534 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x539534 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x539534 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53947C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2961435132-1276454938-1534764475-813939850 Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53947C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B083E9FC-281A-4C15-BBA5-7A5B8ABC8330 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x524326 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:53:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52924C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52924C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52924C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x526335 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x526335 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x526335 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5241CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x524326 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x524326 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5242CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5242CD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5242CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x524283 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x524283 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x524283 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5241CB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-747006992-1211565449-2155129752-1952618146 Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5241CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C866C10-0589-4837-98AB-7480A2966274 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:50:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50E292 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x501A58 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x511D3B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x511D3B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x511D3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50EFCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50EFCE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50EFCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50E14A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50E292 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50E292 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50E239 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50E239 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50E239 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50E1F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50E1F0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50E1F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50E14A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2235336139-1102981469-4048986273-2906933841 Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50E14A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 853C85CB-295D-41BE-A1A0-56F1514A44AD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:49:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50672D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50672D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50672D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x503970 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x503970 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x503970 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5018FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x501A58 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x501A58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5019FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5019FF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5019FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5019B5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5019B5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5019B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5018FD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2121852562-1286091913-1800122251-3177773899 Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5018FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7E78E692-3489-4CA8-8BAF-4B6B4BFB68BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:48:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EF5E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA36D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0CE4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0CCF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0CB8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0CA7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0DAE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0D1B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F3B5A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F3B5A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F3B5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F03B6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F03B6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F03B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EF49F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EF5E6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EF5E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EF58D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EF58D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EF58D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EF544 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EF544 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EF544 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EF49F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2303506218-1115430160-908217741-53209044 Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EF49F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 894CB72A-1D10-427C-8D4D-2236D4E72B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:47:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E0277 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E6500 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E6500 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E6500 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E5788 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E5788 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E5788 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E24A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E24A3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E24A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E011C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E0277 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E0277 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E021E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E021E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E021E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E01D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E01D4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E01D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E011C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1374040514-1315219255-2455779968-2295563609 Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E011C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51E631C2-A737-4E64-803A-60925985D388 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF5B6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF5B6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF5B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0BFE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x4D1DEE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0C75 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D9F72 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0E69 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x4D1670 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:46:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0E41 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D9F72 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D9F72 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D66EA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D66EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D66EA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D6619 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D6619 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D6619 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D647E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D647E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D647E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x4D1F01 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x4D1F21 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x4D1F0C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D1F21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECC2822D-3B42-D930-D729-E635BA0B0B2E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65469 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D1F0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECC2822D-3B42-D930-D729-E635BA0B0B2E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65468 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D1F01 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECC2822D-3B42-D930-D729-E635BA0B0B2E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65467 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D1DEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ECC2822D-3B42-D930-D729-E635BA0B0B2E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65466 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D1670 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65466 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x4D0F24 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D0F24 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0EBC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0EBC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0EBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0E69 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-712873932-1226349313-2575423150-3358229092 Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0E69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A7D97CC-9B01-4918-AED6-819964822AC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D0E41 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0E41 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D0DAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65473 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0DAE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D0D1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65473 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0D1B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D0CE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65472 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0CE4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D0CCF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65472 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0CCF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D0CB8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65472 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0CB8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D0CA7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65472 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0CA7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D0C75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65471 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0C75 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0C2C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0C3B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0C4E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D0C4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65469 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0C4E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D0C3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65468 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0C3B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D0C2C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65467 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0C2C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4D0BFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65466 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4D0BFE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CDD73 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CDD73 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CDD73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CB042 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CB042 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CB042 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA225 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA36D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA36D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA314 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA314 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA314 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA2CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA2CB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA2CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA225 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1352767789-1149578528-3045320113-1678166483 Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA225 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 50A1992D-2D20-4485-B1E5-83B5D3C90664 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48C624 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:45:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B551D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB8E9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB8E9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BB8E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B78B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B78B0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B78B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B53C0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B551D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B551D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B54C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B54C4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B54C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B547A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B547A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B547A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B53C0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-446442735-1101736468-2740329101-2365446992 Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B53C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A9C2CEF-2A14-41AB-8D1A-56A350DBFD8C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:44:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A399E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A9F85 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A9F85 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A9F85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A73ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A73ED Privileges: SeImpersonatePrivilege467200125480-921436483760003481616686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A73ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A383F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A399E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A399E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A3940 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A3940 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A3940 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A38F6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A38F6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A38F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A383F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3436726883-1243056811-793330098-384294364 Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A383F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CCD84A63-8AAB-4A17-B241-492FDCDDE716 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x496D55 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49803B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49A0B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49A0B4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49A0B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x498D60 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x498D60 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x498D60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x497EF3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49803B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49803B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x497FE2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x497FE2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x497FE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x497F99 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x497F99 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x497F99 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x497EF3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1844205232-1194500007-861314203-3035965722 Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x497EF3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DEC56B0-9FA7-4732-9B9C-56331A29F5B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x496D9F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x496D9B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x496D9A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x496D9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 65448 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x496D9B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x496D9F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 65449 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x496D9F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x496D9A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 65447 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x496D9A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x496D55 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 65446 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x496D55 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:43:00 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496AF6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:42:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496AF6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:42:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496AF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:42:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:42:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4900FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4900FF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4900FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48D2FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48D2FE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48D2FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48C4D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48C624 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48C624 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48C5C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48C5C7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48C5C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48C57E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48C57E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48C57E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48C4D8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1217951713-1253873983-2676134321-2597867828 Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48C4D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 489877E1-993F-4ABC-B191-829F3451D89A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x475836 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46DDA6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:41:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x475253 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47CECC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47CECC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47CECC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47C0AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47C0AE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47C0AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B94D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B94D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47B94D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47780A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47780A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47780A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x476620 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x476620 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x476620 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4756EF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x475836 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x475836 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4757DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4757DD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4757DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x475794 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x475794 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x475794 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4756EF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1128135225-1192433807-3950342553-434240488 Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4756EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 433DFA39-188F-4713-9971-75EBE8FBE119 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4752B9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4752A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4752A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 65434 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4752A6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4752B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 65435 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4752B9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4752A3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204364n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4752A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 65433 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x4752A3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x475253 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 65432 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x475253 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47272E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47272E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47272E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46EA6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46EA6A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46EA6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46DC5E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46DDA6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46DDA6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46DD4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46DD4D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46DD4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46DD04 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46DD04 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46DD04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46DC5E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-698380279-1304027783-2652995000-2941231963 Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46DC5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29A06FF7-E287-4DB9-B87D-219E5BA34FAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:40:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x442365 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44F027 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45C74F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45C74F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:30 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45C74F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:30 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:30 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45BCB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45BCB7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45BCB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45935A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45935A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45935A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4583B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4583B4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4583B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x457C59 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x457C59 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x457C59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:39:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4529EE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4529EE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4529EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44FD11 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44FD11 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44FD11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44EEE0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44F027 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44F027 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44EFCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44EFCE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44EFCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44EF85 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44EF85 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44EF85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44EEE0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3148553072-1145072532-543002016-2006890010 Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44EEE0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBAB1B70-6B94-4440-A08D-5D201AB69E77 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44C475 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44C475 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44C475 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B6A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B6A1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B6A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44AF64 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44AF64 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44AF64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445D41 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445D41 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x445D41 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:38:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443024 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443024 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443024 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x442218 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x442365 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x442365 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44230C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44230C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44230C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4422BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4422BE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4422BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x442218 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2987343048-1214737867-3740701880-883998509 Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x442218 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B20F3CC8-6DCB-4867-B894-F6DE2DBFB034 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB239 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E4271 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414ED5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41F6A2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42CA7F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42CA7F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42CA7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:37:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4233F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4233F0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4233F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x420493 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x420493 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x420493 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41F55B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41F6A2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41F6A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41F649 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41F649 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41F649 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41F600 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41F600 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41F600 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41F55B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1226611462-1238448748-848583310-3622342277 Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41F55B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 491C9B06-3A6C-49D1-8E5A-9432858EE8D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:36:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x419139 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x419139 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x419139 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202060n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x415C06 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x415C06 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x415C06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414CE2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414ED5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414ED5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414DD5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414DD5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414DD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414D87 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414D87 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414D87 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414CE2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3702924914-1287408051-3100242572-2761001312 Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414CE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCB62672-49B3-4CBC-8CF2-C9B8608991A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40B79C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40F403 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40F403 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40F403 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40C5BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40C5BE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40C5BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40B654 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40B79C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40B79C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40B743 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40B743 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40B743 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40B6FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40B6FA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40B6FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40B654 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2340621866-1083693345-4238972338-3527311160 Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40B654 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B830E2A-D921-4097-B295-A9FC387F3ED2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x400733 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x405457 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x405457 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x405457 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x401526 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x401526 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x401526 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4005E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x400733 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x400733 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4006D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4006D7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4006D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40068A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40068A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40068A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4005E5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-788829847-1194733033-1500968065-699219490 Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4005E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2F049697-2DE9-4736-81F4-7659223EAD29 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F449F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:35:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F8391 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F8391 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F8391 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F52D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F52D5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F52D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F4351 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F449F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F449F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F4446 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F4446 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F4446 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F43FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F43FD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F43FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F4351 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4090246567-1314638517-3456485299-3124144272 Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F4351 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3CC35A7-CAB5-4E5B-B3C7-05CE90A836BA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:34:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC509 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E7DC4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E7DC4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E7DC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E4F90 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E4F90 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E4F90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E4126 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E4271 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E4271 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E4218 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E4218 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E4218 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E41CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E41CB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E41CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E4126 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1709091573-1316700732-3820550289-2575242724 Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E4126 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65DEAAF5-423C-4E7B-91F8-B8E3E4157F99 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E0416 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E0416 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E0416 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:33:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DD223 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DD223 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DD223 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC3C1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC509 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC509 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC4B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC4B0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC4B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC467 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC467 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC467 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC3C1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2311615627-1287060766-3885997967-1864321847 Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DC3C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 89C8748B-FD1E-4CB6-8F9F-9FE7374B1F6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C43F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D4457 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D4457 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D4457 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:32:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D086B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:31:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D086B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:31:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D086B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:31:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:31:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CDA99 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:31:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CDA99 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:31:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CDA99 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:31:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:31:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C9F57 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C9F57 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C9F57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C6DD9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C6DD9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C6DD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C427E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C43F0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C43F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C438B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C438B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C438B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C433D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C433D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C433D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C427E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2383928647-1320925831-1238517898-3786656733 Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C427E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8E17DD47-BA87-4EBB-8A48-D249DDCBB3E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:30:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEF03 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEF03 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEF03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BC00B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BC00B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BC00B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB0F1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB239 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB239 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB1E0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB1E0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB1E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB197 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB197 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB197 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB0F1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3701802760-1190227207-3136621697-2357382615 Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB0F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCA50708-6D07-46F1-810C-F5BAD7CD828C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D659 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:29:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37AC55 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:28:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D86A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:27:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39971D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:27:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39971D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:27:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39971D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:27:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:27:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:27:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:27:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385865 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x387BA9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x387BA9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x387BA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x386673 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x386673 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x386673 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38571E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385865 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385865 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38580C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38580C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38580C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3857C3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3857C3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3857C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38571E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1308946389-1113366728-2334325382-1182014412 Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38571E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4E04EFD5-A0C8-425C-86FA-228BCC1B7446 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3771CA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37F85D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37F85D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37F85D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BA2E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BA2E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BA2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37AB0E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37AC55 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37AC55 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37ABFC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37ABFC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37ABFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37ABB3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37ABB3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37ABB3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37AB0E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-407643175-1241513716-340714151-293708416 Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37AB0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 184C2427-FEF4-49FF-A7E2-4E1480A28111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37953E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37953E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37953E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x378012 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x378012 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x378012 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x377082 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3771CA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3771CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x377171 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x377171 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x377171 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x377128 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x377128 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x377128 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x377082 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3483479771-1334956783-2016126370-2946317432 Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x377082 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFA1AEDB-D2EF-4F91-A2A5-2B78783C9DAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:26:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x372AD1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x372AD1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x372AD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x371E9D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x371E9D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x371E9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F388 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F388 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36F388 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36E38F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36E38F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36E38F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DBBF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DBBF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DBBF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x360A3F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36535A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36535A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36535A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3617F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3617F0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3617F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3608F8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x360A3F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x360A3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3609E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3609E6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3609E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36099D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36099D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36099D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3608F8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2855125602-1212868341-1763130756-2238479968 Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3608F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA2DC262-E6F5-484A-843D-1769607E6C85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:25:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x353809 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x357486 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x357486 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x357486 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3545A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3545A1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3545A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3536C2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x353809 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x353809 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3537B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3537B0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3537B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x353767 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x353767 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x353767 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3536C2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1340454962-1194881938-2891393978-1069720033 Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3536C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4FE5B832-7392-4738-BA2B-57ACE1A1C23F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x351D78 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x351D78 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x351D78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34E3DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34E3DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34E3DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D511 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D659 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D659 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D600 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D600 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D600 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D5B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D5B7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D5B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D511 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3304351371-1201718435-4124542130-3752281380 Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34D511 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4F4668B-C4A3-47A0-B284-D7F52445A7DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D1D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x345583 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x345583 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:20 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x345583 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:20 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:20 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33E355 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33E355 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33E355 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33CF2A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D1D3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D1D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D114 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D114 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D114 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D067 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D067 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D067 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33CF2A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3718534057-1276583479-2458262416-3206224 Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33CF2A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DDA453A9-1E37-4C17-901B-869250EC3000 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:24:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A8EA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x309B40 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x325559 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x325559 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x325559 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31F54B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31F54B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31F54B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31D0FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31D0FD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31D0FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31B6EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31B6EC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:30 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31B6EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:30 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:30 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A7A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A8EA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A8EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A891 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A891 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A891 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A848 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A848 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A848 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A7A3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2899694625-1322930365-3868062372-2448332975 Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A7A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACD5D421-50BD-4EDA-A4F2-8DE6AF98EE91 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F1E2C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30E9FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30E9FA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30E9FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30B5FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30B5FC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30B5FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x309716 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x309B40 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x309B40 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3099B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3099B4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3099B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3098F9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3098F9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3098F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x309716 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:20 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-728785613-1171562165-1535750055-3005996503 Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x309716 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:20 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2B7062CD-9EB5-45D4-A7AF-895BD7DD2BB3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:20 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30115B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30115B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30115B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FB1D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FB1D4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FB1D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D9801 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F313C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F313C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F313C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F1B37 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F1E2C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F1E2C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F1DC1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F1DC1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F1DC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F1CB2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F1CB2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F1CB2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F1B37 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4136547660-1076878211-3373937588-4056226592 Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F1B37 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F68EB54C-DB83-402F-B433-1AC9201BC5F1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E74F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E74F7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E74F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3D4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3D4F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E3D4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB370 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:23:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DE844 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DE844 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DE844 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DA514 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DA514 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DA514 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D96BA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D9801 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D9801 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D97A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D97A8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D97A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D975F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D975F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D975F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D96BA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3226850190-1339531134-1512548030-2057583289 Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D96BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C055D38E-9F7E-4FD7-BEA6-275AB93AA47A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D8E64 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D8E64 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D8E64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D8539 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D86A3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D86A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D864A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D864A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D864A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D85F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D85F0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D85F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D8539 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3868158721-1292774684-2721338534-213491362 Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D8539 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E68F6B01-2D1C-4D0E-A654-34A2A29EB90C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D280A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D280A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D280A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B63A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CC114 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CC114 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CC114 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB219 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB370 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB370 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB308 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB308 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB308 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB2BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB2BF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB2BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB219 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-85736424-1119520176-2995059627-1555704779 Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CB219 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 051C3BE8-85B0-42BA-ABFB-84B2CB2BBA5C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:22:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25066E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C11EA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C11EA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C11EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263991 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE7F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B70FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B70FE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B70FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B624C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B63A5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B63A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B634C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B634C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B634C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6303 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6303 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6303 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B624C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4188755253-1151153386-499386503-3137892614 Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B624C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F9AB5535-34EA-449D-8708-C41D067108BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27425F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:21:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C672 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A5910 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A5910 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A5910 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2987D2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29ED60 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29ED60 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29ED60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29D4B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29D4B3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29D4B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C4B1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C672 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C672 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C619 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C619 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C619 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C556 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C556 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C556 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C4B1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2588511253-1177936663-2217875597-3927770760 Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C4B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A498C15-E317-4635-8D18-328488061DEA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x299575 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x299575 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x299575 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29868B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2987D2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2987D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x298779 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x298779 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x298779 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x298730 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x298730 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x298730 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29868B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2959586488-1266922878-1417703318-3408503907 Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29868B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B067B4B8-B57E-4B83-966F-805463A429CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28D8BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29188A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29188A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29188A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28E686 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28E686 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28E686 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28D776 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28D8BE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28D8BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28D865 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28D865 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28D865 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28D81C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28D81C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28D81C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28D776 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-514160483-1204683329-2557944451-3983811985 Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28D776 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1EA57763-0241-47CE-8322-7798912574ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:20:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27DFB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28370F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28370F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28370F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EDBB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EDBB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EDBB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27DE70 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27DFB7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27DFB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27DF5E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27DF5E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27DF5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27DF15 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27DF15 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27DF15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27DE70 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-917034608-1098778097-3480998073-1670263442 Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27DE70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 36A8D670-05F1-417E-B9D0-7BCF92328E63 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27BB45 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27BB45 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27BB45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DDF1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2750E1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2750E1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2750E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x273EE0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27425F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27425F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x274198 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x274198 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x274198 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27414F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27414F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27414F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x273EE0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3561659120-1182598292-1590407325-1076849353 Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x273EE0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D44A9AF0-0494-467D-9DB0-CB5EC96A2F40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2734E2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2734E2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2734E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26EBBB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26EBBB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26EBBB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DC32 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DDF1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DDF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DD98 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DD98 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DD98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DD4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DD4F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DD4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DC32 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-416299338-1164334577-663622576-2141037534 Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26DC32 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 18D0394A-55F1-4566-B013-8E27DEA39D7F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x269FF8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x269FF8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:01 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x269FF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:01 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:19:01 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x266936 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x266936 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x266936 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2646B9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2646B9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2646B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263830 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263991 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263991 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26391E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26391E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26391E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2638D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2638D5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2638D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263830 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179499390-1279517754-3829932944-3081012216 Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263830 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 464DBB7E-E43A-4C43-9023-48E4F883A4B7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D283 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D403 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D403 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25D403 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25BBAB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25BBAB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25BBAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AD37 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE7F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE26 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE26 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25ADDD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25ADDD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25ADDD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AD37 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1725890563-1124782533-394831274-2824004560 Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AD37 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 66DF0003-D1C5-430A-AAA5-8817D0E352A8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256135 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256135 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256135 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x252959 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x252959 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x252959 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25134C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25134C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25134C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x250527 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25066E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25066E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x250615 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x250615 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x250615 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2505CC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2505CC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2505CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x250527 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1513413354-1259158370-920082608-2092648433 Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x250527 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5A34DAEA-3B62-4B0D-B058-D736F147BB7C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24DFBA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24DFBA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24DFBA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D13C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D283 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D283 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D22A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D22A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D22A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D1E1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D1E1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D1E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D13C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3419140453-1293593061-992661920-300009844 Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D13C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBCBF165-A9E5-4D1A-A0D1-2A3B74C9E111 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x233711 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:18:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2396EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x240624 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x240624 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x240624 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:52 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2262B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23A47F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23A47F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23A47F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2395A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2396EB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2396EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239692 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239692 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239692 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239649 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239649 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239649 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2395A4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4163550276-1154328326-740228784-1064373722 Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2395A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F82ABC44-A706-44CD-B0FE-1E2CDA0D713F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x237C41 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x237C41 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x237C41 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB370 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x234407 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x234407 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x234407 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2335C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x233711 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x233711 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2336B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2336B8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2336B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23366F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23366F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23366F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2335C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3675422678-1123998950-531429547-469250453 Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2335C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DB127FD6-DCE6-42FE-ABF8-AC1F9531F81B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11A08C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x111069 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14B925 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14121A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x204492 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x20447D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x204462 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBC8D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBC78 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBC61 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBBBE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBBA9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBB8A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBAFF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBAEA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBAD3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB93E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB929 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB912 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB4CE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB48E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x204569 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB3C7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x2044C7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB3B2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBCB3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB39B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBBE4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB38A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBB25 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB968 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB6D9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB5F0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB3DF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB7EA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF645C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB473 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22C612 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22C612 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22C612 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x133C47 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12AC6E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:17:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x227142 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x227142 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x227142 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22616C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2262B7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2262B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22625E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22625E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22625E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x226215 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x226215 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x226215 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22616C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1230377135-1182753228-4236504476-978776548 Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22616C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 495610AF-61CC-467F-9CED-83FCE4F1563A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A4274 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x199387 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E54F1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20E9FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2021CC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1F89EA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207D3F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB53D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x204D1E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x213355 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x213355 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x213355 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x2047A4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20E9FA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20E9FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20A3D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20A3D9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20A3D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20731D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207D3F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207D3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207B1D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207B1D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207B1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207842 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207842 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207842 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20731D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1793239436-1088931206-199975614-2788917986 Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20731D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6AE2A98C-C586-40E7-BE62-EB0BE2823BA6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x205B7E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x205B7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x205B7E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205959 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205959 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205959 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2057AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2057AB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2057AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:32 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x204D1E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65108 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x2047D2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x2047D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x2047A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x2047A4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x204569 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65121 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x204569 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x2044C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65121 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x2044C7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x204492 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x204492 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x20447D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x20447D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x204462 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x204462 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x204407 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x204427 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x20440D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x204427 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65128 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x204427 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x20440D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x204407 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65126 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x20440D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x204407 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:31 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x20217E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2022D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2022D4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2022D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2021CC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3964444840-1335830534-3420713100-4245154687 Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2021CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EC4CA0A8-2806-4F9F-8CF0-E3CB7FEB07FD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x20217E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E61205C0-4719-F99B-E435-DAEC76519710} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: RestrictedKrbHost/n-h2-853682-1@CBCI-853682-1.LOCAL Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x20217E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EA79E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200473 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200473 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200473 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FBCB3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65121 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBCB3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FBC8D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBC8D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FBC78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBC78 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FBC61 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBC61 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FBBE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65121 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBBE4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FBBBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBBBE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FBBA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBBA9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FBB8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBB8A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FBB25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65121 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBB25 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FBAFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBAFF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FBAEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBAEA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FBAD3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FBAD3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB968 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65121 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB968 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB93E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB93E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB929 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB929 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB912 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB912 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB7EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65122 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB7EA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB6D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65121 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB6D9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB5F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65121 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB5F0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB4CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB4CE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB48E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB48E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB3DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65121 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB3DF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB3C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB3C7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB3B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB3B2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB39B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB39B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB38A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65120 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB38A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1FB370 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65119 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1FB370 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:16:14 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1F89EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65108 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1F89EA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F5DC6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F5DC6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F5DC6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F38C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F38C6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F38C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A943A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A941F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A93FC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8BD9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8B82 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8B01 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8860 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8843 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8818 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A820E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A81EB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A81BE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A7FE9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A7FD0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A7F9D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AFC8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AFB3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A94AF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8D21 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AF9A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AF88 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A88CE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8678 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8230 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A83FE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A800F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19B1E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19B0F3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F079D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F079D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F079D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EC45F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EC45F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EC45F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB3F4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB53D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB53D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB4E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB4E4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB4E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB49B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB49B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB49B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB3F4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-775671146-1201810908-185470339-533227155 Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB3F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E3BCD6A-2DDC-47A2-830D-0E0B9366C81F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EA55A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EA79E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EA79E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EA745 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EA745 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EA745 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EA6FB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EA6FB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EA6FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EA55A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1668104887-1212046514-2922723200-3124530812 Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EA55A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 636D42B7-5CB2-483E-8037-35AE7C8E3CBA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E98ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E98ED Privileges: SeImpersonatePrivilege467200125480-921436483760003481615268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E98ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E63BD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E63BD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E63BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E53A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E54F1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E54F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E5498 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E5498 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E5498 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E544B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E544B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E544B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E53A5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4184602990-1223208504-1026236811-862462947 Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E53A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F96BF96E-AE38-48E8-8B21-2B3DE3236833 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1ACA36 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:15:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C90DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D0D08 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D0D08 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D0D08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CA3DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CA3DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CA3DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8E98 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C90DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C90DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C902D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C902D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C902D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8FA2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8FA2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8FA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8E98 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1531551697-1117861938-2206483374-3663841067 Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8E98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B499FD1-3832-42A1-AE43-84832BC761DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AF6C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A9E33 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1DDB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153CB8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA072 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA072 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BA072 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B4C5E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B4C5E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B4C5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B313B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B313B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B313B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1C94 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1DDB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1DDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1D82 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1D82 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1D82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1D39 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1D39 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1D39 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1C94 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3599045528-1242170642-2929889444-1119578305 Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1C94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6851398-0512-4A0A-A490-A2AEC168BB42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B0FBD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B0FBD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B0FBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x19C129 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x18FA26 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD899 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD899 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD899 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC8ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1ACA36 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1ACA36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:12 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC9DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC9DD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC9DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC994 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC994 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC994 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC8ED Privileges: SeImpersonatePrivilege467200125480-921436483760003481615168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-416444878-1315745551-674871958-145705976 Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AC8ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 18D271CE-AF0F-4E6C-96BA-3928F84BAF08 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x19B9B7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1AA03E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1AA041 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1AA03E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 65054 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1AA035 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1AA03E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1AA041 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 65055 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1AA041 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1AA035 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 65053 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1AA035 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A9E33 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-853682-1 Source Network Address: 10.222.0.18 Source Port: 65052 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A9E33 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A94AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65042 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A94AF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A943A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A943A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A941F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A941F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A93FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A93FC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A8D21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65042 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8D21 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A8BD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8BD9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A8B82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8B82 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A8B01 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8B01 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A88CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65042 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A88CE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A8860 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8860 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A8843 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8843 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A8818 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8818 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A8678 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65042 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8678 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A83FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65042 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A83FE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A8230 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65042 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A8230 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A820E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A820E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A81EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A81EB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A81BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A81BE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A800F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65042 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A800F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A7FE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A7FE9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A7FD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A7FD0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A7F9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A7F9D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19B2A5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A4274 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A4274 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:14:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A0362 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1A0362 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1A0362 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19FF8B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19FF8B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19FF8B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19FDBD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19FDBD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19FDBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x19C263 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x19C23A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x19C24C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19C263 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {47AB1897-CD20-AAD5-4FDB-B3DA9FB8D23F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65039 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19C24C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {47AB1897-CD20-AAD5-4FDB-B3DA9FB8D23F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65038 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19C23A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {47AB1897-CD20-AAD5-4FDB-B3DA9FB8D23F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65037 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19C129 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {47AB1897-CD20-AAD5-4FDB-B3DA9FB8D23F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65031 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19B9B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65031 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x19B2C7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19B2C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19B2A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19B2A5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19B1E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65042 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19B1E9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19B0F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65042 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19B0F3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19AFC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AFC8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19AFB3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AFB3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19AF9A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AF9A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19AF88 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65041 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AF88 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19AF6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65040 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AF6C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AD79 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AD4C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AD68 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19AD79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65039 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AD79 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19AD68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65038 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AD68 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x19AD4C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65037 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x19AD4C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x199349 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1993F4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1993F4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1993F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x199387 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2710443750-1167462892-643281795-1015471206 Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x199387 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A18E16E6-11EC-4596-83B3-572666DC863C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x199349 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1509F093-19F0-5719-17A4-3395DF2F0B3C} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: RestrictedKrbHost/n-h2-853682-1@CBCI-853682-1.LOCAL Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x199349 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:53 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x18FA26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 65031 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x18FA26 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16FADD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18B8FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18B8FD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18B8FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1760B6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17A702 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17A702 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17A702 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x176F4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x176F4F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x176F4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x175F59 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1760B6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1760B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x176047 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x176047 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x176047 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x175FFE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x175FFE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x175FFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x175F59 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-894648003-1167669908-939647668-3168711214 Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x175F59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35533EC3-3A94-4599-B4E2-01382EB2DEBC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x140555 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x174748 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x174748 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x174748 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:13:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17099F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17099F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17099F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:55 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F991 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16FADD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16FADD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16FA84 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16FA84 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16FA84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16FA3B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16FA3B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16FA3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F991 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-978784678-1080541837-2194595261-3060163251 Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F991 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3A5711A6-C28D-4067-BDDD-CE82B36266B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:54 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x155AEF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169AC4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169AC4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x169AC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x140671 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x14061B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1405C0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA8C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA77 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x140A82 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA60 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA4F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x14094E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AB56 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AAC3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10276E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1602F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1602F7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1602F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15EFC5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15EFC5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15EFC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:35 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x107115 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1569B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1569B3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1569B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1559A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x155AEF Privileges: SeImpersonatePrivilege467200125480-921436483760003481614963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x155AEF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x155A96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x155A96 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x155A96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x155A4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x155A4D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x155A4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1559A5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-198783904-1214557614-3414720136-1962543117 Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1559A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0BD933A0-ADAE-4864-887E-88CB0D08FA74 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:27 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x154ABE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x154ABE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x154ABE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153B71 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153CB8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153CB8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153C5F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153C5F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153C5F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:25 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153C16 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153C16 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153C16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153B71 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-996506680-1103465281-434088331-1499578683 Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x153B71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B657C38-8B41-41C5-8BA9-DF193BC16159 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x151CC2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x151CC2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x151CC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:13 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x13C979 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x142DAF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:12:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x141FD3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1213DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x141110 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14B925 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14B925 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x147A3C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x147A3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x147A3C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1475EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1475EB Privileges: SeImpersonatePrivilege467200125480-921436483760003481614914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1475EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1471E3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1471E3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1471E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x142EDA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x142EFC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x142EEA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x142EFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {85EB80E6-CFDB-8A78-3DFD-5C4A0A153FB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64978 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x142EEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {85EB80E6-CFDB-8A78-3DFD-5C4A0A153FB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64977 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x142EDA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {85EB80E6-CFDB-8A78-3DFD-5C4A0A153FB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64976 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x142DAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {85EB80E6-CFDB-8A78-3DFD-5C4A0A153FB1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64975 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x136320 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x141FD3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64975 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x14175D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x14175D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x141366 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x141366 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x141366 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14121A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3171896229-1118452936-121394838-612704192 Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14121A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD0F4BA5-3CC8-42AA-9656-3C07C01F8524 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x141110 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x141110 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x140A82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64959 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x140A82 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x14094E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64959 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x14094E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x140671 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64958 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x140671 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x14061B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64958 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x14061B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1405C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64958 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1405C0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x140555 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64979 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x140555 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D7EA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D7EA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D7EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x13C9A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x13C9C8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x13C9B8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x13C9C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64978 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x13C9C8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x13C9B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64977 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x13C9B8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x13C9A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64976 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x13C9A8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x13C979 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64975 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x13C979 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:42 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13A469 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13A469 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13A469 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x12BB5B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12A9DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB092 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x12B42C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x137187 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x137187 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x137187 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1361D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x136320 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x136320 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1362C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1362C7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1362C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13627E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13627E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13627E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1361D8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2791718655-1286788896-87594930-844069133 Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1361D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A6663EFF-D720-4CB2-B297-38050D794F32 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12ABEC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x133C47 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:20 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x133C47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:20 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:20 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12FCE3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12FCE3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12FCE3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12FA28 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12FA28 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12FA28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12F754 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12F754 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12F754 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x12BC42 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x12BC6A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x12BC57 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12BC6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D98B2470-4BC3-3FBA-B7BF-E4C8952224B8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64957 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12BC57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D98B2470-4BC3-3FBA-B7BF-E4C8952224B8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64956 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12BC42 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D98B2470-4BC3-3FBA-B7BF-E4C8952224B8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64955 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12BB5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D98B2470-4BC3-3FBA-B7BF-E4C8952224B8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64954 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12B42C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64954 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x12ADDF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12ADDF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12ACE6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12ACE6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12ACE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12AC6E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2094453615-1177061445-2305790110-2660128107 Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12AC6E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7CD6D36F-8845-4628-9E90-6F896B558E9E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12ABEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12ABEC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12AB56 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64959 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AB56 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12AAC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64959 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AAC3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12AA8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64958 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA8C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12AA77 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64958 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA77 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12AA60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64958 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA60 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12AA4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64958 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA4F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA1E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA0E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA2E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12AA2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64957 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA2E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12AA1E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64956 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA1E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12AA0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64955 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12AA0E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x12A9DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64954 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x12A9DB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A928 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A928 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12A928 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x128EC3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x128EC3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x128EC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x110835 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x110807 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1107E6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB25A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB245 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB22E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB219 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x110CDD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x110AF6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB291 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE5403 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1221F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1221F2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1221F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121290 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1213DB Privileges: SeImpersonatePrivilege467200125480-921436483760003481614752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1213DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121382 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121382 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121382 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121339 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121339 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121339 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121290 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3811682702-1142273068-2512234136-3580853396 Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121290 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E331A98E-B42C-4415-98A6-BD95947C6FD5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:08 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x10FE03 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x111CF6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x1126D2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:11:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFCA15 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x110FF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11A08C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11A08C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:50 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x116904 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x116904 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x116904 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11658F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11658F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11658F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x116315 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x116315 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x116315 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:47 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x1127A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x1127C4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x1127F2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1127F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F88DFEB-5094-E86A-8C2D-A74E0D6E7F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64939 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1127C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F88DFEB-5094-E86A-8C2D-A74E0D6E7F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64940 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1127A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F88DFEB-5094-E86A-8C2D-A74E0D6E7F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64938 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1126D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F88DFEB-5094-E86A-8C2D-A74E0D6E7F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64937 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x111CF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64937 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x1114AB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1114AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11130F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11130F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11130F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x111069 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2401190743-1256350573-1939987360-1998809448 Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x111069 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F1F4357-636D-4AE2-A0DB-A17368692377 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x110FF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x110FF0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:46 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x110CDD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64912 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x110CDD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x110AF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64912 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x110AF6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x110835 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64909 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x110835 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x110807 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64909 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x110807 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1107E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64909 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x1107E6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x110133 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x110133 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x110133 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x10FF6C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x10FF61 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x10FF2F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x10FF6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64940 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x10FF61 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64939 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x10FF6C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x10FF61 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x10FF2F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64938 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x10FF2F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x10FE03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64937 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0x10FE03 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:45 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10C1A2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10C1A2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10C1A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:41 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1089AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1089AF Privileges: SeImpersonatePrivilege467200125480-921436483760003481614670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1089AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x106FCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x107115 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x107115 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1070BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1070BC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1070BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x107073 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x107073 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x107073 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x106FCE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-285966832-1335782189-3267560087-3168583180 Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x106FCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 110B81F0-6B2D-4F9E-9702-C3C20CBEDCBC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1058AA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1058AA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1058AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:36 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0xEC742 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB015 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0xEC164 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x103AB8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x103AB8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x103AB8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:34 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102627 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10276E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10276E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102715 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102715 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102715 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1026CC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1026CC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1026CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102627 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-32653271-1327973323-646641844-3066790679 Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102627 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01F23FD7-43CB-4F27-B4F8-8A261783CBB6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:33 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD80D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD7BD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD7BD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFD7BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:29 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFC8CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFCA15 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFCA15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFC9BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFC9BC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFC9BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFC973 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFC973 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFC973 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFC8CE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1527533231-1320499497-3453077675-2074248521 Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFC8CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B0C4EAF-3929-4EB5-ABC8-D1CD4985A27B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB44B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF645C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF645C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:24 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDBA16 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEF96D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEF96D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEF96D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF77E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF77E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF77E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF490 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF490 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEF490 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:21 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0xEC7BA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0xEC79A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0xEC7A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEC7BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0EF5F6AA-F7C6-20EE-A1B3-DD8DE57D5F1F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64905 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:20 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEC79A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0EF5F6AA-F7C6-20EE-A1B3-DD8DE57D5F1F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64903 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:20 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEC7A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0EF5F6AA-F7C6-20EE-A1B3-DD8DE57D5F1F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64904 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:20 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEC742 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0EF5F6AA-F7C6-20EE-A1B3-DD8DE57D5F1F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64901 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:20 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEC164 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64901 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0xEB5B6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-1106 Account Name: N-H2-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEB5B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {34373943-A29B-13EF-04E7-5B98D13E46AA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB4FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB4FD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB4FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB473 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2455560103-1316720371-1057519281-1556896141 Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB473 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 925CDFA7-8EF3-4E7B-B176-083F8D59CC5C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEB44B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {672E4139-3232-0B66-1754-7C7EBAF5C152} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB44B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:19 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEB291 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64912 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB291 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEB25A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64909 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB25A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEB245 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64909 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB245 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEB22E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64909 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB22E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEB219 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64909 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB219 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEB092 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73F1416A-7641-455F-F5A3-5FC1A4354BFD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64907 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB092 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB04E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB05E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB06E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEB06E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64905 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB06E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEB05E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64904 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB05E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEB04E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64903 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB04E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon ID: 0xEB015 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {661F2E76-4242-1F26-E9C9-E9B2F7BC199B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.18 Source Port: 64901 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: Administrator Account Domain: CBCI-853682-1 Logon ID: 0xEB015 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE941F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE941F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE941F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:11 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE6128 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE6128 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE6128 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE52BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE5403 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE5403 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE53AA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE53AA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE53AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE5361 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE5361 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE5361 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE52BC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4039830070-1201960488-2401947815-625661856 Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE52BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0CAEA36-7628-47A4-A7D0-2A8FA0D74A25 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:10:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE3473 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE3473 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE3473 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:56 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDF563 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDF563 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDF563 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDCBA1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDCBA1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDCBA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:44 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB8CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDBA16 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDBA16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB9BD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB9BD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB9BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB974 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB974 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB974 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB8CF Privileges: SeImpersonatePrivilege467200125480-921436483760003481614501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2101120556-1196138892-3643867055-3172038161 Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB8CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D3C8E2C-A18C-474B-AFFF-30D9117611BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:43 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8E80 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8E80 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8E80 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:40 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD7F44 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD80D1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD80D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8032 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8032 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD8032 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD7FE9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD7FE9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD7FE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD7F44 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3998444997-1237436248-1398603424-399932853 Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD7F44 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EE536DC5-C758-49C1-A0FE-5C53B57DD617 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:39 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1D4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB5DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCD75D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCD75D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCD75D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:23 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC2DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC2DD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC2DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB497 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB5DF Privileges: SeImpersonatePrivilege467200125480-921436483760003481614468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB5DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB586 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB586 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB586 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB53D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB53D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB53D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB497 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4264625597-1237945408-2582410382-2641698248 Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCB497 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FE3105BD-8C40-49C9-8E74-EC99C81D759D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:22 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBD1E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC5C9E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC5C9E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC5C9E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:09:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2A2B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2A2B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2A2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1B8F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1D4F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1D4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1C7D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1C7D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1C7D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1C34 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1C34 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1C34 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1B8F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3724102380-1242547671-958718645-689993513 Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC1B8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DDF94AEC-C5D7-4A0F-B5E2-243929772029 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:58 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBF2BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBF2BE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBF2BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:51 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBDE99 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBDE99 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBDE99 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBD09F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBD1E6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBD1E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBD18D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBD18D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBD18D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBD144 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBD144 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBD144 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBD09F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-399000748-1187266395-1465771443-188262323 Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBD09F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 17C844AC-3F5B-46C4-B3E5-5D57B3A7380B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:49 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA8857 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB2521 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB2521 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB2521 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAABD4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAABD4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAABD4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA77B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA8857 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA8857 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA828B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA828B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA828B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA81C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA81C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA81C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA77B7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4019965869-1218955509-2479796353-3542297420 Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA77B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF9BCFAD-C8F5-48A7-81B0-CE934C2B23D3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:08:15 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x2D84C Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1334 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:06:16 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:06:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:06:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_f9456706-f0d0-4a33-ad50-dbbdc507e7f1 Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:06:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x15945 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:05:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: administrator Account Domain: CBCI-853682-1 Logon ID: 0x683A2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:05:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: administrator Account Domain: CBCI-853682-1 Logon ID: 0x683A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0F5CBA40-1A9B-1F6F-1F6A-25E8792AD9AE} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:05:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-853682-1 Logon GUID: {0F5CBA40-1A9B-1F6F-1F6A-25E8792AD9AE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:05:02 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:59 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: administrator Account Domain: CBCI-853682-1 Logon ID: 0x50FEA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2769749875-904202468-959393171-500 Account Name: administrator Account Domain: CBCI-853682-1 Logon ID: 0x50FEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DD8CE42-2766-8D15-2AA8-97AC2860DAE2} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-853682-1 Logon GUID: {0DD8CE42-2766-8D15-2AA8-97AC2860DAE2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:57 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x4B6C6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x4B6C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E1799277-071B-E348-D006-27EA9DD4F803} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x4B6C6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon GUID: {3F77E847-0869-1765-55E4-6BD662281CC4} Target Server: Target Server Name: n-h1-853682-1$ Additional Information: n-h1-853682-1$ Process Information: Process ID: 0x9b8 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x49A52 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x49A52 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {98E686C4-25D1-F77E-5914-33EF729A88ED} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x49A52 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:48 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3F411 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x3F411 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {633115C1-4BE5-A2CB-15BF-1956AE5A3897} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3F411 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon GUID: {9730818E-0FDD-7D49-981F-6FD6CE099D47} Target Server: Target Server Name: n-h1-853682-1$ Additional Information: n-h1-853682-1$ Process Information: Process ID: 0x1308 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:38 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3C106 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x3C106 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {98E686C4-25D1-F77E-5914-33EF729A88ED} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3C106 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:37 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x2BC33 Logon Type: 4 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202268n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
System security access was granted to an account. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x2D84C Account Modified: Account Name: S-1-5-21-2769749875-904202468-959393171-500 Access Granted: Access Right: SeServiceLogonRight471700135690-921436483760003481614354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:28 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:26 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x2D84C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x2D84C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x484 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-853682-1 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x484 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-853682-1 Error Code: 0x0477600143360-921436483760003481614347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:18 PM7f7cb37c-b324-0001-c0b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: f20b6409-4024-4de7-9f1a-b85a8489c278 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: f20b6409-4024-4de7-9f1a-b85a8489c278 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84461fed9b8126b89643388b57de7808_f9456706-f0d0-4a33-ad50-dbbdc507e7f1 Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:18 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x2CE4D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x2CE4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B275FE18-0BBA-9A65-271A-9BB8CF55F033} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x2CE4D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon GUID: {31E3611B-23C0-E023-4595-B16229C3F5F5} Target Server: Target Server Name: n-h1-853682-1$ Additional Information: n-h1-853682-1$ Process Information: Process ID: 0xc08 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x2BC33 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x15945 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x2BC33 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x138 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-853682-1 Error Code: 0x0477600143360-921436483760003481614338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:17 PM7f7cb37c-b324-0001-bdb3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x15945 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1472400138240-921436483760003481614337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x15945 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/18/2022 5:04:17 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x15945 User: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Process Information: Process ID: 0x138 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x15945 User: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Process Information: Process ID: 0x138 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:17 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x2539E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x2539E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FEC751AF-5CA0-BCF0-0E46-8CD16E31973D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x2539E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201816n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201816n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:10 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Domain: Domain Name: N-H1-853682-1 Domain ID: S-1-5-21-3417608337-3410704393-3308437301 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: - Min. Password Length: - Password History Length: - Machine Account Quota: - Mixed Domain Mode: 1 Domain Behavior Version: 7 OEM Information: 24 Additional Information: Privileges: -473900135690-921436483760003481614326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201816n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:09 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x1CCF3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201816n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1CCF3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FEC751AF-5CA0-BCF0-0E46-8CD16E31973D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x1CCF3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x1BCD3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201816n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1.LOCAL Logon ID: 0x1BCD3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FEC751AF-5CA0-BCF0-0E46-8CD16E31973D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x1BCD3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:07 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201816n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_f9456706-f0d0-4a33-ad50-dbbdc507e7f1 Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201816n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_f9456706-f0d0-4a33-ad50-dbbdc507e7f1 Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481614312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201816n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x16FF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x15945 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x15945 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-853682-1 Error Code: 0x0477600143360-921436483760003481614307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0002-8fb3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x484 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x484 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202260n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201816n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201816n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201816n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201816n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:06 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481614292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity41320n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5c4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5c4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5c4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5c4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5c4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5c4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5c4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5c4 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:05 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x3f8 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?18T17:04:04.506630500Z New Time: ?2022?-?08?-?18T17:04:04.708000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481614272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBD63 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481614268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBD37 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481614267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBD63 Linked Logon ID: 0xBD37 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBD37 Linked Logon ID: 0xBD63 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:04 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481614263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: CBCI-853682-1 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:03 PM7f7cb37c-b324-0005-81b3-7c7f24b3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x652F490200135680-921436483760003481614259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820868n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820824n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481614257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820824n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x23c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x294 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h1-853682-1.cbci-853682-1.local8/18/2022 5:04:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x23c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-853682-1.cbci-853682-1.local8/18/2022 5:03:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x23c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-853682-1.cbci-853682-1.local8/18/2022 5:03:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x210 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4184n-h1-853682-1.cbci-853682-1.local8/18/2022 5:03:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4184n-h1-853682-1.cbci-853682-1.local8/18/2022 5:03:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x188 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-853682-1.cbci-853682-1.local8/18/2022 5:03:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481614245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-853682-1.cbci-853682-1.local8/18/2022 5:03:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5a0 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?18T17:03:44.474412000Z New Time: ?2022?-?08?-?18T17:03:44.458000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4212n-h1-853682-18/18/2022 5:03:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x4A74D5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244452n-h1-853682-18/18/2022 5:03:43 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x4A74D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244452n-h1-853682-18/18/2022 5:03:43 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-853682-1 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244452n-h1-853682-18/18/2022 5:03:43 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-853682-1 Error Code: 0x0477600143360-921436483760003481614240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244452n-h1-853682-18/18/2022 5:03:43 PM98cd7427-b31b-0001-60ca-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889614239Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security1448960n-h1-853682-18/18/2022 5:03:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Member: Security ID: S-1-5-21-2769749875-904202468-959393171-513 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -473200138260-921436483760003481614238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244648n-h1-853682-18/18/2022 5:03:39 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Member: Security ID: S-1-5-21-2769749875-904202468-959393171-512 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -473200138260-921436483760003481614237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244648n-h1-853682-18/18/2022 5:03:39 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-853682-1.cbci-853682-1.local Additional Information: cifs/n-ad-853682-1.cbci-853682-1.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.67 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244648n-h1-853682-18/18/2022 5:03:39 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-853682-1.cbci-853682-1.local Additional Information: cifs/n-ad-853682-1.cbci-853682-1.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.67 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244648n-h1-853682-18/18/2022 5:03:39 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-853682-1.cbci-853682-1.local Additional Information: cifs/n-ad-853682-1.cbci-853682-1.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.67 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244452n-h1-853682-18/18/2022 5:03:39 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-853682-1.cbci-853682-1.local Additional Information: cifs/n-ad-853682-1.cbci-853682-1.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.67 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244452n-h1-853682-18/18/2022 5:03:39 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-853682-1.cbci-853682-1.local Additional Information: cifs/n-ad-853682-1.cbci-853682-1.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.67 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244648n-h1-853682-18/18/2022 5:03:39 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-853682-1.cbci-853682-1.local Additional Information: cifs/n-ad-853682-1.cbci-853682-1.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.67 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244648n-h1-853682-18/18/2022 5:03:39 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-853682-1.cbci-853682-1.local Additional Information: cifs/n-ad-853682-1.cbci-853682-1.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.67 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244452n-h1-853682-18/18/2022 5:03:39 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-853682-1.cbci-853682-1.local Additional Information: LDAP/n-ad-853682-1.cbci-853682-1.local Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 10.222.0.67 Port: 49666 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244452n-h1-853682-18/18/2022 5:03:39 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon GUID: {3D3AAF54-DF5B-50D1-258D-879CD5C5EE44} Target Server: Target Server Name: n-ad-853682-1.cbci-853682-1.local Additional Information: ldap/n-ad-853682-1.cbci-853682-1.local Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244452n-h1-853682-18/18/2022 5:03:39 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-853682-1.LOCAL Logon GUID: {7ADA79DB-B616-DE86-32EC-A90025F22E0D} Target Server: Target Server Name: n-ad-853682-1.cbci-853682-1.local Additional Information: cifs/n-ad-853682-1.cbci-853682-1.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.67 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244452n-h1-853682-18/18/2022 5:03:39 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244648n-h1-853682-18/18/2022 5:03:22 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: f20b6409-4024-4de7-9f1a-b85a8489c278 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244648n-h1-853682-18/18/2022 5:03:20 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: f20b6409-4024-4de7-9f1a-b85a8489c278 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84461fed9b8126b89643388b57de7808_f9456706-f0d0-4a33-ad50-dbbdc507e7f1 Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8244648n-h1-853682-18/18/2022 5:03:20 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:28:45 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:28:45 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:07:52 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:07:52 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 User: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Process Information: Process ID: 0x114c Process Name: C:\Program Files\Git\usr\bin\bash.exe479800138240-921436483760003481614219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:07:45 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:04:57 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x11CA04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:04:57 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-853682-1 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:04:57 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-853682-1 Error Code: 0x0477600143360-921436483760003481614215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:04:57 PM98cd7427-b31b-0004-5177-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x10B585 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:04:50 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x10B585 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:04:50 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-853682-1 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:04:50 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-853682-1 Error Code: 0x0477600143360-921436483760003481614211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:04:50 PM98cd7427-b31b-0003-b776-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x108494 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:04:48 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x108494 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:04:48 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-853682-1 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:04:48 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-853682-1 Error Code: 0x0477600143360-921436483760003481614207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:04:48 PM98cd7427-b31b-0004-0377-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x8AD60 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-500 Account Name: Administrator Account Domain: N-H1-853682-1472400138240-921436483760003481614206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:04:09 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x8AD60 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-500 Account Name: Administrator Account Domain: N-H1-853682-1 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/18/2022 4:04:09 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:04:09 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x8AD60 User: Security ID: S-1-5-21-3417608337-3410704393-3308437301-500 Account Name: Administrator Account Domain: N-H1-853682-1 Process Information: Process ID: 0xdc4 Process Name: C:\Windows\System32\net1.exe479800138240-921436483760003481614204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:04:09 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:03:57 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:03:57 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x8AD60 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xe60 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:03:54 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_f9456706-f0d0-4a33-ad50-dbbdc507e7f1 Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0506100122900-921436483760003481614195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_f9456706-f0d0-4a33-ad50-dbbdc507e7f1 Operation: Write persisted key to file. Return Code: 0x0505800122920-921436483760003481614194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016506100122900-921886843722740531214193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Delete key file. Return Code: 0x0505800122920-921436483760003481614192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:02:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x2B0FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5a0 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?18T16:01:35.284270600Z New Time: ?2022?-?08?-?18T16:01:35.279000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity43584n-h1-853682-18/18/2022 4:01:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x8AD60 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:33 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x8AD60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:33 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-853682-1 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:33 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-853682-1 Error Code: 0x0477600143360-921436483760003481614181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:33 PM98cd7427-b31b-0000-6976-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x892DD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:01:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x892DD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:01:28 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x892DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:01:28 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-853682-1 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:01:28 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-853682-1 Error Code: 0x0477600143360-921436483760003481614176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:01:28 PM98cd7427-b31b-0001-d474-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: f20b6409-4024-4de7-9f1a-b85a8489c278 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:01:28 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: f20b6409-4024-4de7-9f1a-b85a8489c278 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84461fed9b8126b89643388b57de7808_f9456706-f0d0-4a33-ad50-dbbdc507e7f1 Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:01:28 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1472400138240-921436483760003481614173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:25 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/18/2022 4:01:25 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:25 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 User: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Process Information: Process ID: 0xfec Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:25 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 User: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Process Information: Process ID: 0xfec Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:25 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 User: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Process Information: Process ID: 0xfec Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:25 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:22 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:22 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 User: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Process Information: Process ID: 0xfec Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:21 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Member: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -473200138260-921436483760003481614165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:20 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x718EC Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:20 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Logon ID: 0x718EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xfec Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:19 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-853682-1 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xfec Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:19 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-853682-1 Error Code: 0x0477600143360-921436483760003481614160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:19 PM98cd7427-b31b-0002-7b74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1472400138240-921436483760003481614159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:14 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/18/2022 4:01:14 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x210 User Account Control: Account Enabled 'Password Not Required' - Disabled 'Don't Expire Password' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:14 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was enabled. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1472200138240-921436483760003481614157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:14 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was created. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 New Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: Admin Account Domain: N-H1-853682-1 Attributes: SAM Account Name: Admin Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges -472000138240-921436483760003481614156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:14 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled global group. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Member: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1001 Account Name: - Group: Security ID: S-1-5-21-3417608337-3410704393-3308437301-513 Group Name: None Group Domain: N-H1-853682-1 Additional Information: Privileges: -472800138260-921436483760003481614155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:01:14 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:46 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x2B0FF Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x4ECC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xe68 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:46 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-853682-1 Error Code: 0x0477600143360-921436483760003481614152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:46 PM98cd7427-b31b-0004-b674-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x2B0FF Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1472400138240-921436483760003481614151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:46 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x2B0FF Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/18/2022 4:00:46 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:46 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x2B0FF User: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Process Information: Process ID: 0xe68 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:46 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x2B0FF User: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Process Information: Process ID: 0xe68 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:46 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:45 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:45 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 2 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Administrator Account Domain: N-H1-853682-1 Failure Information: Failure Reason: The specified account's password has expired. Status: 0xC0000224 Sub Status: 0x0 Process Information: Caller Process ID: 0x218 Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462500125440-921886843722740531214145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:45 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-3417608337-3410704393-3308437301-500 Account Name: Administrator Account Domain: N-H1-853682-1 Process Information: Process ID: 0xf90 Process Name: C:\Windows\System32\LogonUI.exe479800138240-921436483760003481614144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:45 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xa0c Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:42 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xa0c Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:42 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:42 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:42 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:41 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:41 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:40 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:38 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_f9456706-f0d0-4a33-ad50-dbbdc507e7f1 Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:38 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:38 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_f9456706-f0d0-4a33-ad50-dbbdc507e7f1 Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:38 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x2B0FF Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:38 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon ID: 0x2B0FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-853682-1 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:38 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H1-853682-1 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:38 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-853682-1 Error Code: 0x0477600143360-921436483760003481614129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:38 PM98cd7427-b31b-0003-5874-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:37 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:37 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:37 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:37 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824916n-h1-853682-18/18/2022 4:00:37 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481614121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:36 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x21279 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:35 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:35 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:35 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:35 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:35 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:35 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:35 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:35 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:35 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:35 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:35 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:35 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481614106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-853682-18/18/2022 4:00:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x7f0 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7f0 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x7f0 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7f0 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x7f0 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7f0 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x7f0 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7f0 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:34 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5a8 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?18T16:00:34.013040100Z New Time: ?2022?-?08?-?18T16:00:33.928000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4872n-h1-853682-18/18/2022 4:00:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:33 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:33 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x5b4 Process Information: Process ID: 0x51c Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)490700135680-921436483760003481614086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-853682-18/18/2022 4:00:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:33 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:33 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:33 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:33 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-3417608337-3410704393-3308437301-513 Group Name: None Group Domain: N-H1-853682-1 Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -473700138260-921436483760003481614081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-513 Account Domain: N-H1-853682-1 Old Account Name: None New Account Name: None Additional Information: Privileges: -478100138240-921436483760003481614080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-3417608337-3410704393-3308437301-513 Group Name: None Group Domain: N-H1-853682-1 Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473700138260-921436483760003481614079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-503 Account Name: DefaultAccount Account Domain: N-H1-853682-1 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-503 Account Name: DefaultAccount Account Domain: N-H1-853682-1 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-501 Account Name: Guest Account Domain: N-H1-853682-1 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-501 Account Name: Guest Account Domain: N-H1-853682-1 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-500 Account Name: Administrator Account Domain: N-H1-853682-1 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-500 Account Name: Administrator Account Domain: N-H1-853682-1 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -473500138260-921436483760003481614072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -478100138240-921436483760003481614071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-582 Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: -478100138240-921436483760003481614068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -478100138240-921436483760003481614065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-579 Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: -478100138240-921436483760003481614062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-578 Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: -478100138240-921436483760003481614059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-577 Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: -478100138240-921436483760003481614056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-576 Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: -478100138240-921436483760003481614053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-575 Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: -478100138240-921436483760003481614050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: -473500138260-921436483760003481614048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-574 Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: -478100138240-921436483760003481614047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -478100138240-921436483760003481614044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-569 Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: -478100138240-921436483760003481614041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -473500138260-921436483760003481614039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -478100138240-921436483760003481614038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -478100138240-921436483760003481614035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -478100138240-921436483760003481614032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -478100138240-921436483760003481614029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-547 Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: -478100138240-921436483760003481614026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-556 Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: -478100138240-921436483760003481614023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-555 Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: -478100138240-921436483760003481614020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: -473500138260-921436483760003481614018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-552 Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: -478100138240-921436483760003481614017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-551 Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: -478100138240-921436483760003481614014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -473500138260-921436483760003481614012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -478100138240-921436483760003481614011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -478100138240-921436483760003481614008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -478100138240-921436483760003481614005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-550 Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: -478100138240-921436483760003481614002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824864n-h1-853682-18/18/2022 4:00:32 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:00:20 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824920n-h1-853682-18/18/2022 4:00:20 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:20 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:20 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:20 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:20 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:20 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:20 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5C1 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481613992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:19 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5AE Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:19 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5C1 Linked Logon ID: 0xB5AE Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:19 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5AE Linked Logon ID: 0xB5C1 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:19 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481613988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:19 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:19 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:19 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:18 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-853682-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824880n-h1-853682-18/18/2022 4:00:18 PM98cd7427-b31b-0005-2a74-cd981bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x61EC490200135680-921436483760003481613983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824888n-h1-853682-18/18/2022 4:00:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824828n-h1-853682-18/18/2022 4:00:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481613981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824828n-h1-853682-18/18/2022 4:00:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x338 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b8 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-853682-18/18/2022 4:00:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b8 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-853682-18/18/2022 4:00:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e0 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x298 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-853682-18/18/2022 4:00:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b8 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x24c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4212n-h1-853682-18/18/2022 4:00:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a0 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x298 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4212n-h1-853682-18/18/2022 4:00:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x298 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4212n-h1-853682-18/18/2022 4:00:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x258 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x24c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4512n-h1-853682-18/18/2022 4:00:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4512n-h1-853682-18/18/2022 4:00:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x21c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4212n-h1-853682-18/18/2022 4:00:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x190 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-853682-18/18/2022 4:00:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18c New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-853682-18/18/2022 4:00:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481613969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-853682-18/18/2022 4:00:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5d4 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?18T16:00:02.807875800Z New Time: ?2022?-?08?-?18T16:00:02.798000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4596WIN-5T344G8GM1H8/18/2022 4:00:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889613967Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security13001344WIN-5T344G8GM1H8/18/2022 4:00:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:59:57 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:59:57 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H472400138240-921436483760003481613964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:59:42 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/18/2022 3:59:42 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:59:42 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xa34 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481613962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:59:42 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-3417608337-3410704393-3308437301-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xa34 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481613961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:59:42 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x354 Process Information: Process ID: 0x49c Process Name: C:\Windows\System32\oobe\Setup.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)490700135680-921436483760003481613960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4212WIN-5T344G8GM1H8/18/2022 3:59:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:08 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:08 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481613957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:04 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x634F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:59:04 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:04 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:04 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H8/18/2022 3:59:04 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H8/18/2022 3:59:04 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:04 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:04 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H8/18/2022 3:59:04 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H8/18/2022 3:59:04 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H8/18/2022 3:59:04 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H8/18/2022 3:59:04 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481613945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4564WIN-5T344G8GM1H8/18/2022 3:59:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:02 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:02 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:02 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:02 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x514 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?18T15:59:01.986946700Z New Time: ?2022?-?08?-?18T15:59:02.332000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H8/18/2022 3:59:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:01 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:01 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:01 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:59:01 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:58:54 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:58:54 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:58:53 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:58:53 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:58:53 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:58:53 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x574D6 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481613929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:58:53 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x574BD Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:58:53 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x574D6 Linked Logon ID: 0x574BD Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:58:53 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x574BD Linked Logon ID: 0x574D6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:58:53 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481613925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828896WIN-5T344G8GM1H8/18/2022 3:58:53 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:58:53 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:58:53 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:58:52 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:58:52 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:58:52 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H8/18/2022 3:58:52 PM5b8e13d6-b31b-0005-dd13-8e5b1bb3d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x4FF57490200135680-921436483760003481613918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828872WIN-5T344G8GM1H8/18/2022 3:58:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828832WIN-5T344G8GM1H8/18/2022 3:58:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481613916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828832WIN-5T344G8GM1H8/18/2022 3:58:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x33c New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b8 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4588WIN-5T344G8GM1H8/18/2022 3:58:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x32c New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b8 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432WIN-5T344G8GM1H8/18/2022 3:58:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e0 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x29c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432WIN-5T344G8GM1H8/18/2022 3:58:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b8 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432WIN-5T344G8GM1H8/18/2022 3:58:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a4 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x29c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432WIN-5T344G8GM1H8/18/2022 3:58:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432WIN-5T344G8GM1H8/18/2022 3:58:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x264 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4584WIN-5T344G8GM1H8/18/2022 3:58:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x258 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4584WIN-5T344G8GM1H8/18/2022 3:58:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4212WIN-5T344G8GM1H8/18/2022 3:58:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x208 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188WIN-5T344G8GM1H8/18/2022 3:58:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4472WIN-5T344G8GM1H8/18/2022 3:58:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H8/18/2022 3:58:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481613903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H8/18/2022 3:58:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4dc Name: C:\Windows\System32\svchost.exe Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z New Time: ?2018?-?01?-?19T09:48:13.152000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity41980WIN-5T344G8GM1H1/19/2018 9:48:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889613901Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security4361144WIN-5T344G8GM1H1/19/2018 9:48:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
User initiated logoff: Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.464700125450-921436483760003481613900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:48:12 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity6643024WIN-5T344G8GM1H1/19/2018 9:48:11 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity6643024WIN-5T344G8GM1H1/19/2018 9:48:11 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664756WIN-5T344G8GM1H1/19/2018 9:48:10 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664756WIN-5T344G8GM1H1/19/2018 9:48:10 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -473900135690-921436483760003481613895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x10 User Account Control: 'Don't Expire Password' - Disabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H472400138240-921436483760003481613893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/19/2018 9:47:34 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: ?? Max. Password Age: Force Logoff: ?? Lockout Threshold: Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: 0 Machine Account Quota: 0 Mixed Domain Mode: 0 Domain Behavior Version: - OEM Information: - Additional Information: Privileges: -473900135690-921436483760003481613891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 User: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xfac Process Name: C:\Windows\System32\Sysprep\sysprep.exe479800138240-921436483760003481613890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:33 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:33 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The audit log was cleared. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Domain Name: WIN-5T344G8GM1H Logon ID: 0x1F0E31102041040462069321768212889613887Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security4361136WIN-5T344G8GM1H1/19/2018 9:47:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLog clearSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]